Endpoint Protection

  • 1.  totally baffled by lack of log/report info!

    Posted Jul 27, 2009 11:55 AM
    Friday, July 10th, 2009, I received 3 emails. 1 at 2:25pm, another at 3:00pm and the 3rd at 3:25pm.
    They were for the same computer, a risk event.
    Adware.Lop is named in 2 of them, I got a "quarantined" and a "details pending" among them.
    I've tried to find this event in the logs, NOTHING.
    I've tried to create a report on all risks for the month of July - it's not there!
    Here are the 3 emails - note it's the same computer in all 3, the same IP address in all 3 and in fact the user CALLED US to report the alerts on her screen (both SEP and a phony AV report on how her computer was infected and at risk):
    --------------------------------
    Message from:
    Server name: VRDSMSEP1
    Server IP: 165.206.190.54

    At least one security risk found:

    Risk name: Adware.Lop
    Event time: 2009-07-10 19:21:14 GMT
    Database insert time: 2009-07-10 19:24:20 GMT
    User: Denise.xxxxx
    Computer: VR093240VT6H570
    IP Address: 10.252.xx.xx
    Domain: IVRS-SEP1
    Server: VRDSMSEP2
    Client Group: My Company\Client Computers\Desktop
    Action taken on risk: Access denied

    ---------------------------------
    Message from:
    Server name: VRDSMSEP1
    Server IP: 165.206.190.54

    At least one security risk found:

    Risk name: Downloader
    Event time: 2009-07-10 19:52:25 GMT
    Database insert time: 2009-07-10 20:00:01 GMT
    User: SYSTEM
    Computer: VR093240VT6H570
    IP Address: 10.252.xx.xx
    Domain: IVRS-SEP1
    Server: VRDSMSEP2
    Client Group: My Company\Client Computers\Desktop
    Action taken on risk: Quarantined

    ------------------------------------
    Message from:
    Server name: VRDSMSEP1
    Server IP: 165.206.190.54

    At least one security risk found:

    Risk name: Adware.Lop
    Event time: 2009-07-10 19:29:33 GMT
    Database insert time: 2009-07-10 19:32:01 GMT
    User: SYSTEM
    Computer: VR093240VT6H570
    IP Address: 10.252.xx.xx
    Domain: IVRS-SEP1
    Server: VRDSMSEP2
    Client Group: My Company\Client Computers\Desktop
    Action taken on risk: Details pending

    --------------------------------

    WHERE in the logs or a report do I search to find the details on this - I'd like to find the FILES that it says were at risk and so on...

    Why was this not logged?
    Why is logging so complex and shallow?
    And why are ports simply PIE CHARTS and not actual information?
    All that aside, I need to show the LOGS to prove to management that this WAS infected, and THESE are the files proving it was WEB BASED.

    Bottom line - why no log entries for this infection???


  • 2.  RE: totally baffled by lack of log/report info!

    Posted Jul 27, 2009 12:48 PM

    Frankly the notifications and reports simply suck (my opinion), but it's been like this since SAV reporter :)

    If you want to see the file path, go to Monitors > Logs tab
    Log Type of Risk.



  • 3.  RE: totally baffled by lack of log/report info!

    Posted Jul 27, 2009 02:09 PM
    That's where I was looking - the computer isn't in there anywhere. I went to Monitors, Logs, Risk, and there are computers in there from before and after that one, but that particular one isn't listed.
    That's where I THOUGHT I'd find "details" - find the entry, highlight it, and choose details.
    Nope, no such entry!
    YET it sent me 3 emails from that date.


  • 4.  RE: totally baffled by lack of log/report info!

    Posted Jul 28, 2009 09:29 AM
    There's a SERIOUS problem with SEP's reporting or logging!
    I just looked at the Monitors, logs, RISKS, ALL computers for the whole year.
    It showed me a list of 32.
    Bunk! We've had double that - just look at the quarantine server! Dozens of them!
    Apparently when a workstation gets infected, it's NOT logged!
    In other words, watch out folks, the logs appear to be pretty much worthless, and without them you can get no detail, such as file locations or names of the infections, as the email you get doesn't show that.

    In my opinion, this product's logging and reporting piece has a serious flaw - logging and reporting is critical in enterprise and GOVERNMENT situations, IMO.

    This needs to be run up the ladder.

    (PS subscriptions still don't work properly here - I'm getting many emails on posts in areas I don't monitor, but never got a message on the single reply I got on this thread)


  • 5.  RE: totally baffled by lack of log/report info!

    Posted Jul 28, 2009 03:16 PM
    Bill,

    The logs get pruned based on the "Admin/Server/Edit local site properties/Database/Delete risk events after" setting.  Mine is set for 60 days (not the default, I believe) and it shows me risk events up to 60 days prior.
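Since the notification emails quoted in the first post may be the only record left once SEPM's "Delete risk events after" window has passed, here is an added example (not from the thread or from Symantec) that parses those email bodies into structured records and flags which events would already have been pruned for a given retention setting. The field names follow the emails above; the sample mail text is constructed from them, and the retention value and query date are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: two notification bodies in the format quoted in the thread,
# trimmed to the fields the parser uses (not a real mail capture).
SAMPLE_MAIL = """Server name: VRDSMSEP1
At least one security risk found:
Risk name: Adware.Lop
Event time: 2009-07-10 19:21:14 GMT
Database insert time: 2009-07-10 19:24:20 GMT
User: Denise.xxxxx
Computer: VR093240VT6H570
IP Address: 10.252.xx.xx
Action taken on risk: Access denied
---------------------------------
Risk name: Downloader
Event time: 2009-07-10 19:52:25 GMT
Database insert time: 2009-07-10 20:00:01 GMT
User: SYSTEM
Computer: VR093240VT6H570
IP Address: 10.252.xx.xx
Action taken on risk: Quarantined
"""

FIELD_RE = re.compile(r"^(Risk name|Event time|Database insert time|User|Computer"
                      r"|IP Address|Action taken on risk):\s*(.*)$")
TIME_FMT = "%Y-%m-%d %H:%M:%S GMT"

def parse_notifications(text):
    """Split on the dashed separators between alerts; return one dict per alert."""
    events = []
    for chunk in re.split(r"^-{5,}\s*$", text, flags=re.M):
        rec = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                rec[m.group(1)] = m.group(2).strip()
        if "Risk name" in rec:
            for k in ("Event time", "Database insert time"):
                rec[k] = datetime.strptime(rec[k], TIME_FMT)
            # Delay between detection on the client and the row reaching the SEPM database.
            rec["insert_lag_s"] = int((rec["Database insert time"] - rec["Event time"]).total_seconds())
            events.append(rec)
    return events

def pruned_before(events, retention_days, as_of):
    """Events whose DB insert time is outside the 'Delete risk events after' window (as_of: YYYY-MM-DD)."""
    cutoff = datetime.strptime(as_of, "%Y-%m-%d") - timedelta(days=retention_days)
    return [e for e in events if e["Database insert time"] < cutoff]
```

Feeding the saved notification mails through `parse_notifications` gives a per-computer record of risk name, user and action that survives independently of the SEPM retention setting.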